@runsec/mcp 1.0.87 → 1.0.89

package/dist/index.js

@@ -623,6 +623,49 @@ function isTestOnlyPath(relPath) {
   if (base.includes("conftest.py") || base === "pytest.ini" || base.includes("jest.config")) return true;
   return false;
 }
+function isDevOrLocalConfigPath(relPath) {
+  const r = relPath.toLowerCase().replace(/\\/g, "/");
+  const base = import_node_path3.default.posix.basename(r);
+  if (isTestOnlyPath(relPath)) return true;
+  if (/-dev\b|\.dev\.|\/dev\/|docker-compose-dev|compose\.dev|local\.|\.local\.|\.env\.example|\.env\.sample|\.env\.template/.test(r)) {
+    return true;
+  }
+  if (base.startsWith("test_") || base.includes(".test.") || base.includes(".spec.")) return true;
+  return false;
+}
+function isProductionCoreConfigPath(relPath) {
+  const r = relPath.toLowerCase().replace(/\\/g, "/");
+  const base = import_node_path3.default.posix.basename(r);
+  if (isDevOrLocalConfigPath(relPath)) return false;
+  if (base === "settings.py" || base === "production.py" || base === "prod.py") return true;
+  if (/\/settings\/production\.py$/.test(r) || /\/config\/production\./.test(r)) return true;
+  if (base.includes("production") && !base.includes("non-production")) return true;
+  return false;
+}
+var ALLOWED_HOSTS_WILDCARD_RE = /allowed_hosts\s*=\s*\[\s*['"]\*['"]\s*\]|allowed_hosts\s*=\s*\{\s*['"]\*['"]\s*\}/i;
+function isHighImpactProductionMisconfig(finding, relPath) {
+  if (finding.category !== "code") return false;
+  if (!isProductionCoreConfigPath(relPath)) return false;
+  const blob = `${finding.snippet ?? ""} ${finding.match_text ?? ""} ${finding.description ?? ""}`;
+  return ALLOWED_HOSTS_WILDCARD_RE.test(blob);
+}
+function computeDynamicCodeConfidence(finding, relPath, sev) {
+  const reasons = [];
+  let score;
+  if (sev === "CRITICAL" || sev === "ERROR") score = 0.9;
+  else if (sev === "WARNING" || sev === "HIGH") score = 0.78;
+  else if (sev === "MEDIUM") score = 0.62;
+  else score = 0.48;
+  if (isHighImpactProductionMisconfig(finding, relPath)) {
+    score = Math.max(score, 0.94);
+    reasons.push("production_core_misconfig_elevated");
+  }
+  if (isDevOrLocalConfigPath(relPath)) {
+    score = Math.min(score, 0.1);
+    reasons.push("dev_or_local_config_clamped");
+  }
+  return { score, reasons };
+}
 function combinedTitleAndMessage(finding) {
   return `${finding.description} ${finding.match_text}`.trim();
 }
@@ -965,9 +1008,9 @@ function baseConfidenceForFinding(finding, phase1, relPath, category, repoRoot)
   const title = finding.title ?? finding.description;
   const sev = (finding.severity || "").toUpperCase();
   if (category === "code") {
-    if (sev === "CRITICAL" || sev === "ERROR") score = 0.92;
-    else if (sev === "WARNING" || sev === "HIGH") score = 0.84;
-    else score = 0.55;
+    const dynamic = computeDynamicCodeConfidence(finding, relPath, sev);
+    score = dynamic.score;
+    reasons.push(...dynamic.reasons);
   } else if (category === "secrets") {
     if (sev === "CRITICAL") score = 0.95;
     else if (findingIsVerified(finding) || finding.match_text.includes("(verified)")) score = 0.93;
@@ -1287,9 +1330,13 @@ var CWE_NAMES = {
   "CWE-639": "Authorization Bypass Through User-Controlled Key",
   "CWE-770": "Allocation of Resources Without Limits or Throttling",
   "CWE-798": "Use of Hard-coded Credentials",
+  "CWE-312": "Cleartext Storage of Sensitive Information",
+  "CWE-494": "Download of Code Without Integrity Check",
+  "CWE-1188": "Insecure Default Initialization of Resource",
   "CWE-915": "Improperly Controlled Modification of Dynamically-Determined Object Attributes",
   "CWE-918": "Server-Side Request Forgery",
-  "CWE-1336": "Improper Neutralization of Special Elements in Template Engine"
+  "CWE-1336": "Improper Neutralization of Special Elements in Template Engine",
+  "CWE-1104": "Use of Unmaintained Third Party Components"
 };
 var CVSS_MAP = {
   "CWE-89": [9.8, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"],
@@ -1324,12 +1371,13 @@ function extractCweDeepFallback(result) {
   const match = blob.match(CWE_RE);
   return match ? match[0].toUpperCase() : null;
 }
-var UNKNOWN_CWE_TYPE_LABEL = "Unknown Vulnerability Type";
 function formatCweDisplay(cweId) {
   const normalized = cweId.match(CWE_RE)?.[0]?.toUpperCase();
-  if (!normalized || normalized === "UNKNOWN") return "Unknown CWE";
+  if (!normalized || normalized === "UNKNOWN") {
+    return "CWE-494: Download of Code Without Integrity Check";
+  }
   const name = CWE_NAMES[normalized];
-  return name ? `${normalized}: ${name}` : `${normalized}: ${UNKNOWN_CWE_TYPE_LABEL}`;
+  return name ? `${normalized}: ${name}` : `${normalized}: Security Weakness (Unmapped CWE)`;
 }
 function calculateCvss(cweId, semgrepSeverity = "WARNING") {
   const normalized = cweId.match(CWE_RE)?.[0]?.toUpperCase();
@@ -1662,6 +1710,59 @@ function formatAsvsLevelDisplay(level) {
   return `Level ${normalized.replace(/^L/i, "")}`;
 }
 
+// src/rules/cweMapper.ts
+var CWE_RE2 = /CWE-\d+/i;
+var SECRET_RULE_RE = /trufflehog|(?:^|\.)secrets\.|cloud-secrets|sec-\d{3}|hard[-_]?coded|credential|api[-_]?key|token|password|vault|customregex/i;
+var INPUT_RULE_RE = /domain[-_]?input|validation|allowed_hosts|host[-_]?header|ssrf|xss|sqli|sql[-_]?injection|csrf|injection|sanitize|origin|dja-|div-|fas-016|nst-014|ruby-017|aac-001/i;
+var INFRA_RULE_RE = /infra|k8s|helm|docker|compose|terraform|tf-|deployment|hardening|cis-|kube|container|image:|pinned|sbom|syft/i;
+function normalizeCweToken(value) {
+  if (typeof value !== "string") return null;
+  const match = value.trim().match(CWE_RE2);
+  return match ? match[0].toUpperCase() : null;
+}
+function classifyRuleForCweFallback(ruleId, category, description) {
+  if (category === "secrets") return "secret";
+  if (category === "dependencies") return "infra";
+  const blob = `${ruleId} ${description ?? ""}`.toLowerCase();
+  if (SECRET_RULE_RE.test(blob)) return "secret";
+  if (INPUT_RULE_RE.test(blob)) return "input";
+  if (INFRA_RULE_RE.test(blob)) return "infra";
+  return "generic";
+}
+function fallbackCweForKind(kind) {
+  switch (kind) {
+    case "secret":
+      return "CWE-798";
+    case "input":
+      return "CWE-20";
+    case "infra":
+      return "CWE-1188";
+    default:
+      return "CWE-494";
+  }
+}
+function resolveCweId(input) {
+  const fromField = normalizeCweToken(input.cwe);
+  if (fromField) return fromField;
+  const fromName = normalizeCweToken(input.cwe_name);
+  if (fromName) return fromName;
+  const kind = classifyRuleForCweFallback(
+    String(input.rule_id ?? ""),
+    input.category,
+    input.description
+  );
+  return fallbackCweForKind(kind);
+}
+function resolveCweDisplay(input) {
+  const existing = String(input.cwe_name ?? "").trim();
+  const existingId = normalizeCweToken(existing);
+  if (existingId && !/unknown/i.test(existing)) {
+    return formatCweDisplay(existingId);
+  }
+  const cweId = resolveCweId(input);
+  return formatCweDisplay(cweId);
+}
+
 // src/engine/semgrepMapping.ts
 function normalizeRelativePath(value) {
   return value.replace(/\\/g, "/");
@@ -1756,7 +1857,13 @@ function mapSemgrepResultToFinding(result, workspaceRoot) {
     metadata: result.extra?.metadata,
     message
   });
-  const cwe = semgrepCwe !== "UNKNOWN" ? semgrepCwe : registryRule?.cwe && registryRule.cwe !== "UNKNOWN" ? registryRule.cwe : fallbackMeta.cwe;
+  const rawCwe = semgrepCwe !== "UNKNOWN" ? semgrepCwe : registryRule?.cwe && registryRule.cwe !== "UNKNOWN" ? registryRule.cwe : fallbackMeta.cwe;
+  const cwe = resolveCweId({
+    cwe: rawCwe,
+    rule_id: registryRule?.id ?? checkId,
+    category: "code",
+    description: message
+  });
   const metadata = result.extra?.metadata;
   const remediation = extractRemediationFromMetadata(metadata);
   const remediation_lang = extractRemediationLangFromMetadata(metadata);
@@ -1775,7 +1882,7 @@ function mapSemgrepResultToFinding(result, workspaceRoot) {
     category: "code",
     rule_id: registryRule?.id ?? checkId,
     cwe,
-    cwe_name: formatCweDisplay(cwe),
+    cwe_name: resolveCweDisplay({ cwe, rule_id: registryRule?.id ?? checkId, category: "code", description: message }),
     severity: contextSeverity.severity,
     original_severity,
     description: message || registryRule?.description || checkId,
@@ -1871,10 +1978,13 @@ function mapTrufflehogFindings(rows, workspaceRoot) {
     const display = redacted || rawSecret || "[secret redacted]";
     const description = `TruffleHog: exposed ${detector}${verified ? " (verified)" : ""}`;
     const severity = severityForSecret(detector, verified);
+    const rule_id = `runsec.secrets.trufflehog.${detector.toLowerCase().replace(/\s+/g, "-")}`;
+    const cwe = resolveCweId({ cwe: "CWE-798", rule_id, category: "secrets", description, detector_name: detector });
     findings.push({
       category: "secrets",
-      rule_id: `runsec.secrets.trufflehog.${detector.toLowerCase().replace(/\s+/g, "-")}`,
-      cwe: "CWE-798",
+      rule_id,
+      cwe,
+      cwe_name: resolveCweDisplay({ cwe, rule_id, category: "secrets", description, detector_name: detector }),
       stackTags: ["Secrets"],
       asvsLevel: "L1",
       asvsTrace: "V6.4.1",
@@ -3328,6 +3438,7 @@ function loadVersion() {
 var RUNSEC_MCP_VERSION = loadVersion();
 
 // src/engine/reportFormatter.ts
+var ALLOWED_HOSTS_WILDCARD_RE2 = /allowed_hosts\s*=\s*\[\s*['"]\*['"]\s*\]|allowed_hosts\s*=\s*\{\s*['"]\*['"]\s*\}/i;
 var REPORT_SECTION_TITLES = {
   code: "Code Vulnerabilities",
   secrets: "Exposed Secrets",
@@ -3386,10 +3497,103 @@ function normalizeCategory(row) {
   const c = row.category;
   if (c === "secrets" || c === "dependencies" || c === "code") return c;
   const rule = String(row.rule_id ?? "").toLowerCase();
-  if (rule.includes("trufflehog") || rule.includes("secrets")) return "secrets";
-  if (rule.includes("syft") || rule.includes("dependencies")) return "dependencies";
+  if (rule.includes("trufflehog") || row.detector_name) return "secrets";
+  if (rule.includes("syft") || rule.includes("sbom")) return "dependencies";
   return "code";
 }
+function serviceComponentFromPath(filePath) {
+  const normalized = String(filePath ?? "").replace(/\\/g, "/");
+  const parts = normalized.split("/").filter(Boolean);
+  if (parts.length === 0) return "workspace";
+  if (parts[0] === "src" && parts[1]) return parts[1];
+  if (["app", "apps", "services", "packages", "deploy", "infra", "config"].includes(parts[0]) && parts[1]) {
+    return `${parts[0]}/${parts[1]}`;
+  }
+  return parts[0];
+}
+function buildComponentMatrix(primary, suppressed) {
+  const map = /* @__PURE__ */ new Map();
+  const touch = (filePath) => {
+    const key = serviceComponentFromPath(filePath);
+    let row = map.get(key);
+    if (!row) {
+      row = { component: key, critical: 0, high: 0, medium: 0, suppressed: 0 };
+      map.set(key, row);
+    }
+    return row;
+  };
+  for (const f of primary) {
+    const row = touch(String(f.file_path ?? "workspace"));
+    const sev = normalizeSeverity(f.severity);
+    if (sev === "CRITICAL") row.critical += 1;
+    else if (sev === "HIGH") row.high += 1;
+    else if (sev === "MEDIUM") row.medium += 1;
+  }
+  for (const f of suppressed) {
+    touch(String(f.file_path ?? "workspace")).suppressed += 1;
+  }
+  return Array.from(map.values()).sort(
+    (a, b) => b.critical + b.high + b.medium + b.suppressed - (a.critical + a.high + a.medium + a.suppressed) || a.component.localeCompare(b.component)
+  );
+}
+function buildDeveloperTopActions(findings, limit = 3) {
+  const ranked = [...findings].sort((a, b) => {
+    const sev = severityRank(a.severity) - severityRank(b.severity);
+    if (sev !== 0) return sev;
+    const confA = typeof a.confidence_score === "number" ? a.confidence_score : 0;
+    const confB = typeof b.confidence_score === "number" ? b.confidence_score : 0;
+    return confB - confA;
+  });
+  const out = [];
+  for (const f of ranked) {
+    if (out.length >= limit) break;
+    out.push({
+      file_path: String(f.file_path ?? "unknown"),
+      line: Number(f.line ?? 0),
+      severity: normalizeSeverity(f.severity),
+      rule_id: String(f.rule_id ?? "unknown_rule"),
+      description: String(f.description ?? f.rule_id ?? "Security finding")
+    });
+  }
+  return out;
+}
+function buildProofOfConcept(group, example) {
+  const blob = `${group.description} ${example?.snippet ?? ""} ${group.rule_id}`;
+  if (ALLOWED_HOSTS_WILDCARD_RE2.test(blob) || /dja-005|insecure allowed_hosts/i.test(blob)) {
+    return {
+      bash: [
+        "# Host header poisoning \u2014 run only against systems you are authorized to test",
+        'curl -i -H "Host: evil-attacker.com" "https://<your-production-domain>/"'
+      ].join("\n")
+    };
+  }
+  if (/\bssrf\b|cwe-918|aac-001|nst-014|ruby-017|fas-016/i.test(blob)) {
+    return {
+      bash: [
+        "# SSRF/metadata probe \u2014 should be blocked by egress controls",
+        'curl -i --max-time 3 "http://169.254.169.254/latest/meta-data/"'
+      ].join("\n")
+    };
+  }
+  if (/csrf|cwe-352/i.test(blob)) {
+    return {
+      bash: [
+        "# CSRF check \u2014 confirm state-changing routes require anti-CSRF token",
+        'curl -i -X POST "https://<your-production-domain>/api/state-changing" -H "Cookie: session=<value>"'
+      ].join("\n")
+    };
+  }
+  return null;
+}
+function formatRemediationAsDiff(remediation, example, description) {
+  const fix = remediation.trim();
+  if (!fix || !example?.snippet?.trim() || example.snippet === NO_CODE_SNIPPET) return fix;
+  if (description && fix === description.trim()) return fix;
+  const bad = example.snippet.trim();
+  if (bad.includes("\n") || fix.includes("\n")) return fix;
+  if (bad === fix) return fix;
+  return ["--- vulnerable", "+++ recommended", `-${bad}`, `+${fix}`].join("\n");
+}
 var SEVERITY_RANK = {
   CRITICAL: 0,
   ERROR: 0,
@@ -3478,63 +3682,6 @@ function formatStackTagsInline(tags) {
   if (!tags.length) return "";
   return tags.map((t) => `**[${safeText(t)}]**`).join(" ");
 }
-var TECH_STACK_BY_EXT = {
-  ".py": "Python",
-  ".js": "JavaScript/TypeScript",
-  ".jsx": "JavaScript/TypeScript",
-  ".mjs": "JavaScript/TypeScript",
-  ".cjs": "JavaScript/TypeScript",
-  ".ts": "JavaScript/TypeScript",
-  ".tsx": "JavaScript/TypeScript",
-  ".java": "Java",
-  ".kt": "Kotlin",
-  ".kts": "Kotlin",
-  ".go": "Go",
-  ".dart": "Dart",
-  ".rb": "Ruby",
-  ".php": "PHP",
-  ".rs": "Rust",
-  ".cs": "C#",
-  ".cpp": "C++",
-  ".cc": "C++",
-  ".c": "C",
-  ".h": "C/C++ Header",
-  ".swift": "Swift",
-  ".scala": "Scala",
-  ".yaml": "YAML",
-  ".yml": "YAML",
-  ".json": "JSON",
-  ".xml": "XML",
-  ".tf": "Terraform",
-  ".vue": "Vue",
-  ".svelte": "Svelte",
-  ".sql": "SQL",
-  ".sh": "Shell",
-  ".bash": "Shell",
-  ".zsh": "Shell",
-  ".ps1": "PowerShell",
-  ".gradle": "Gradle",
-  ".properties": "Properties",
-  ".toml": "TOML",
-  ".ini": "INI",
-  ".conf": "Config",
-  ".md": "Markdown"
-};
-function techStackFromFilePath(filePath) {
-  const normalized = String(filePath ?? "").replace(/\\/g, "/");
-  const base = import_node_path16.default.basename(normalized).toLowerCase();
-  if (base === "dockerfile" || base.startsWith("dockerfile.")) return "Docker";
-  const ext = import_node_path16.default.extname(normalized).toLowerCase();
-  return TECH_STACK_BY_EXT[ext] ?? "Other";
-}
-function countFindingsByTechStack(findings) {
-  const counts = /* @__PURE__ */ new Map();
-  for (const row of findings) {
-    const stack = techStackFromFilePath(String(row.file_path ?? ""));
-    counts.set(stack, (counts.get(stack) ?? 0) + 1);
-  }
-  return Array.from(counts.entries()).map(([tag, count]) => ({ tag, count })).sort((a, b) => b.count - a.count || a.tag.localeCompare(b.tag));
-}
 function suppressionReasonLabel(finding) {
   const reason = String(finding.suppression_reason ?? "").trim();
   if (reason) return reason;
@@ -3544,76 +3691,32 @@ function suppressionReasonLabel(finding) {
   return "cognitive_suppressed";
 }
 function renderSuppressedFindingsSection(suppressed) {
-  const out = [];
-  if (suppressed.length === 0) return out;
+  if (suppressed.length === 0) return [];
   const byReason = /* @__PURE__ */ new Map();
   for (const row of suppressed) {
     const key = suppressionReasonLabel(row);
-    const bucket = byReason.get(key);
-    if (bucket) bucket.push(row);
-    else byReason.set(key, [row]);
+    byReason.set(key, (byReason.get(key) ?? 0) + 1);
   }
+  const out = [];
   out.push("---");
-  out.push(`## Appendix: Cognitively suppressed findings (${suppressed.length})`);
+  out.push("<details>");
+  out.push(`<summary>Appendix: Cognitive suppression summary (${suppressed.length} items)</summary>`);
   out.push("");
   out.push(
-    "These TruffleHog/Semgrep hits were processed by the cognitive engine and scored below the primary report threshold (0.8). They do **not** change `X-RunSec-Verdict`."
+    "Findings below the primary confidence threshold (0.8) or nuclear-hard-dropped. They do not affect `X-RunSec-Verdict`."
   );
   out.push("");
   out.push("| Suppression reason | Count |");
   out.push("|---|---:|");
-  const sortedReasons = Array.from(byReason.entries()).sort((a, b) => b[1].length - a[1].length);
-  for (const [reason, rows] of sortedReasons) {
-    out.push(`| \`${safeText(reason)}\` | ${rows.length} |`);
-  }
-  const maxFilesPerReason = 40;
-  for (const [reason, rows] of sortedReasons) {
-    out.push("");
-    out.push(`### ${safeText(reason)} (${rows.length})`);
-    out.push("");
-    out.push("**Affected files:**");
-    const locations = [
-      ...new Set(
-        rows.map((row) => `${String(row.file_path || "unknown")}:${Number(row.line ?? 0)}`)
-      )
-    ].sort();
-    for (const loc of locations.slice(0, maxFilesPerReason)) {
-      out.push(`- \`${safeText(loc)}\``);
-    }
-    if (locations.length > maxFilesPerReason) {
-      out.push(`- _+${locations.length - maxFilesPerReason} additional locations omitted._`);
-    }
-    const sample = rows.find((r) => String(r.snippet ?? r.match_text ?? "").trim());
-    const sampleText = String(sample?.snippet ?? sample?.match_text ?? "").trim();
-    if (sampleText) {
-      out.push("");
-      out.push("**Example snippet:**");
-      out.push("");
-      out.push("```text");
-      out.push(safeText(sampleText.slice(0, 400)));
-      out.push("```");
-    }
+  const sortedReasons = Array.from(byReason.entries()).sort((a, b) => b[1] - a[1]);
+  for (const [reason, count] of sortedReasons) {
+    out.push(`| \`${safeText(reason)}\` | ${count} |`);
   }
-  return out;
-}
-function renderTechStackSummary(findings) {
-  const rows = countFindingsByTechStack(findings);
-  const out = [];
-  out.push("### Findings by tech stack");
   out.push("");
-  if (rows.length === 0) {
-    out.push("_No findings to summarize by file type._");
-    return out;
-  }
-  out.push("| Tech stack | Findings |");
-  out.push("|---|---:|");
-  for (const { tag, count } of rows.slice(0, 20)) {
-    out.push(`| ${safeText(tag)} | ${count} |`);
-  }
-  if (rows.length > 20) {
-    out.push("");
-    out.push(`_+${rows.length - 20} additional stacks omitted._`);
-  }
+  out.push(
+    "_Per-file listings omitted to reduce noise. Re-run with verbose telemetry or inspect engine JSON for full paths._"
+  );
+  out.push("</details>");
   return out;
 }
 function groupFindingsByRule(findings) {
@@ -3626,8 +3729,22 @@ function groupFindingsByRule(findings) {
         rule_id: ruleId,
         description: String(f.description || ruleId),
         severity: normalizeSeverity(f.severity),
-        cwe: f.cwe != null && String(f.cwe).trim() !== "" ? String(f.cwe) : "UNKNOWN",
-        cwe_name: String(f.cwe_name || f.cwe || "Unknown CWE"),
+        cwe: resolveCweId({
+          cwe: f.cwe,
+          cwe_name: f.cwe_name,
+          rule_id: ruleId,
+          category: normalizeCategory(f),
+          description: f.description,
+          detector_name: f.detector_name
+        }),
+        cwe_name: resolveCweDisplay({
+          cwe: f.cwe,
+          cwe_name: f.cwe_name,
+          rule_id: ruleId,
+          category: normalizeCategory(f),
+          description: f.description,
+          detector_name: f.detector_name
+        }),
         remediation: String(f.remediation || "").trim(),
         metadata: {
           remediation_lang: f.metadata?.remediation_lang?.trim() || void 0
@@ -3705,7 +3822,7 @@ function countSeverity(findings) {
   }
   return { critical, high, medium, low };
 }
-function renderFindingRows(findings) {
+function renderFindingRows(findings, category) {
   const out = [];
   if (findings.length === 0) {
     out.push("_No findings in this category._");
@@ -3713,56 +3830,101 @@ function renderFindingRows(findings) {
   }
   for (const group of groupFindingsByRule(findings)) {
     const metric = shortRuleLabel(group.rule_id);
-    const conf = typeof group.confidence_score === "number" ? `Confidence: ${group.confidence_score.toFixed(2)} | ` : "";
+    const conf = typeof group.confidence_score === "number" ? ` (confidence ${group.confidence_score.toFixed(2)})` : "";
     const cweLabel = safeText(group.cwe_name || group.cwe);
-    const stackInline = formatStackTagsInline(group.stackTags);
-    const cvssLine = typeof group.cvss_score === "number" ? `**CVSS:** ${group.cvss_score.toFixed(1)}${group.cvss_vector ? ` (\`${safeText(group.cvss_vector)}\`)` : ""}` : "";
-    const asvsLevelText = formatAsvsLevelDisplay(group.asvsLevel);
-    const asvsLine = asvsLevelText && group.asvsTrace ? `**ASVS:** ${asvsLevelText} (${safeText(group.asvsTrace)})` : asvsLevelText ? `**ASVS:** ${asvsLevelText}` : group.asvsTrace ? `**ASVS:** ${safeText(group.asvsTrace)}` : "";
-    out.push(
-      `**[${normalizeSeverity(group.severity)}]** \`${safeText(group.rule_id)}\` (${metric})`
-    );
-    if (group.description.trim()) {
+    const example = group.exampleOccurrence ?? group.occurrences[0];
+    const primaryLoc = example ? `\`${safeText(example.file_path)}:${example.line}\`` : "`unknown:0`";
+    out.push(`### ${normalizeSeverity(group.severity)} \u2014 \`${safeText(group.rule_id)}\` (${metric})${conf}`);
+    out.push("");
+    out.push(`**Target location:** ${primaryLoc}`);
+    if (group.occurrences.length > 1) {
       out.push("");
-      out.push(safeText(group.description));
+      out.push("**Additional locations:**");
+      for (const occ of group.occurrences.slice(0, 12)) {
+        out.push(`- \`${safeText(occ.file_path)}:${occ.line}\``);
+      }
+      if (group.occurrences.length > 12) {
+        out.push(`- _+${group.occurrences.length - 12} more omitted_`);
+      }
     }
     out.push("");
-    out.push(
-      `${conf}**CWE:** ${cweLabel}${stackInline ? ` ${stackInline}` : ""}`
-    );
-    if (cvssLine) {
-      out.push(cvssLine);
-    }
-    if (asvsLine) {
-      out.push(asvsLine);
-    }
+    out.push("**Problem description:**");
     out.push("");
-    out.push("**Affected Files:**");
-    for (const occ of group.occurrences) {
-      out.push(`- \`${safeText(occ.file_path)}:${occ.line}\``);
+    out.push(safeText(group.description.trim() || group.rule_id));
+    out.push("");
+    out.push(`**CWE:** ${cweLabel}`);
+    const stackInline = formatStackTagsInline(group.stackTags);
+    if (stackInline) out.push(stackInline);
+    if (typeof group.cvss_score === "number") {
+      out.push(
+        `**CVSS:** ${group.cvss_score.toFixed(1)}${group.cvss_vector ? ` (\`${safeText(group.cvss_vector)}\`)` : ""}`
+      );
+    }
+    const asvsLevelText = formatAsvsLevelDisplay(group.asvsLevel);
+    if (asvsLevelText) {
+      out.push(
+        `**ASVS:** ${asvsLevelText}${group.asvsTrace ? ` (${safeText(group.asvsTrace)})` : ""}`
+      );
     }
     out.push("");
-    const example = group.exampleOccurrence;
-    if (example) {
+    if (example && isUsableSnippet(example.snippet)) {
       const lang = snippetLanguage(example.file_path);
-      out.push(`**Example Snippet** (from \`${safeText(example.file_path)}:${example.line}\`):`);
+      out.push("**Code snippet:**");
       out.push("");
       out.push("```" + lang);
       out.push(example.snippet);
       out.push("```");
       out.push("");
     }
+    if (category === "code") {
+      const poc = buildProofOfConcept(group, example);
+      if (poc) {
+        out.push("**Proof of Concept (Instant Verification):**");
+        out.push("");
+        out.push("```bash");
+        out.push(poc.bash);
+        out.push("```");
+        out.push("");
+      }
+    }
     const remediationText = remediationForGroup(group);
     const remediationLang = remediationFenceLanguage(group);
-    out.push("### Remediation");
+    const diffText = formatRemediationAsDiff(remediationText, example, group.description);
+    out.push("**Contextual remediation:**");
     out.push("");
     out.push("```" + remediationLang);
-    out.push(remediationText);
+    out.push(diffText);
     out.push("```");
     out.push("");
   }
   return out;
 }
+function renderComplianceAuditorSection(standard, findings) {
+  const out = [];
+  out.push("### For Compliance Auditors");
+  out.push("");
+  const cweSet = new Set(findings.map((f) => resolveCweId({ cwe: f.cwe, rule_id: f.rule_id, category: f.category, description: f.description })));
+  const hasSecrets = findings.some((f) => normalizeCategory(f) === "secrets");
+  const hasInput = [...cweSet].some((c) => /CWE-(20|79|89|346|352|918)/.test(c));
+  const hasCrypto = [...cweSet].some((c) => /CWE-(327|295|347)/.test(c));
+  out.push("| Baseline | Applicable controls | Scan signal |");
+  out.push("|---|---|---|");
+  out.push(
+    `| SOC 2 Trust Services Criteria (Security) | CC6.1 Logical access, CC7.2 System monitoring | ${hasSecrets ? "Secret exposure patterns detected" : "No primary secret findings"} |`
+  );
+  out.push(
+    `| PCI-DSS v4.0 | Req. 6.2 Secure development, Req. 6.4 Public-facing vulnerabilities | ${hasInput ? "Input validation / injection class findings present" : "No primary injection-class findings"} |`
+  );
+  out.push(
+    `| OWASP ASVS (mapped) | V5 Validation / V13 API / V14 Config | ${findings.length ? `${findings.length} primary finding(s) with ASVS traces where available` : "Clean primary log"} |`
+  );
+  if (hasCrypto) {
+    out.push(`| Cryptographic controls | ASVS V13.2 / PCI 3.5 | Weak crypto or TLS findings in primary log |`);
+  }
+  out.push("");
+  out.push(`_Audit standard selected for this run: **${safeText(standard)}**._`);
+  return out;
+}
 function buildServerSideReportMarkdown(standard, findings, metrics) {
   const verdictLabel = metrics.verdict?.http_headers?.["X-RunSec-Verdict"] ?? metrics.verdict?.status ?? "PASS";
   const allSev = countSeverity(findings);
@@ -3775,62 +3937,96 @@ function buildServerSideReportMarkdown(standard, findings, metrics) {
     byCategory[normalizeCategory(row)].push(row);
   }
   const es = metrics.engine_summary;
+  const suppressedRows = Array.isArray(metrics.findings_suppressed) ? metrics.findings_suppressed : [];
+  const cognitiveSuppressed = Number(metrics.cognitive_suppressed_count ?? suppressedRows.length);
+  const rawSecrets = es?.trufflehog?.finding_count ?? metrics.cognitive?.findings_total ?? 0;
   const out = [];
-  out.push(`# RunSec Unified Security Report`);
+  out.push(`# RunSec Security Report`);
   out.push("");
-  out.push(`**Generated at:** ${(/* @__PURE__ */ new Date()).toISOString()}`);
-  out.push(`**MCP package:** \`@runsec/mcp@${safeText(RUNSEC_MCP_VERSION)}\``);
-  out.push(`**Standard:** ${safeText(standard)}`);
-  out.push(`**X-RunSec-Verdict:** \`${safeText(verdictLabel)}\`${metrics.verdict?.is_safe === false && metrics.verdict.fail_reason ? ` \u2014 ${safeText(metrics.verdict.fail_reason)}` : ""}`);
+  out.push("| | |");
+  out.push("|---|---|");
+  out.push(`| **X-RunSec-Verdict** | \`${safeText(verdictLabel)}\`${metrics.verdict?.is_safe === false && metrics.verdict.fail_reason ? ` \u2014 ${safeText(metrics.verdict.fail_reason)}` : ""} |`);
+  out.push(`| **Generated at** | ${(/* @__PURE__ */ new Date()).toISOString()} |`);
+  out.push(`| **MCP package** | \`@runsec/mcp@${safeText(RUNSEC_MCP_VERSION)}\` |`);
+  out.push(`| **AI cognitive noise suppressed** | ${cognitiveSuppressed} |`);
+  out.push(`| **Standard** | ${safeText(standard)} |`);
   out.push(
-    `**Scan time:** ${Number(metrics.duration_ms || 0)}ms | **Files scanned:** ${Number(metrics.scanned_files_count || 0)} | **Rules:** ${Number(metrics.total_rules || 0)}`
+    `| **Scan** | ${Number(metrics.duration_ms || 0)}ms \xB7 ${Number(metrics.scanned_files_count || 0)} files \xB7 ${Number(metrics.total_rules || 0)} rules |`
   );
   if (metrics.engines) {
     out.push(
-      `**Engines (concurrent):** Semgrep \`${safeText(metrics.engines.semgrep ?? "n/a")}\` | TruffleHog \`${safeText(metrics.engines.trufflehog ?? "n/a")}\` | Syft \`${safeText(metrics.engines.syft ?? "n/a")}\`${es?.concurrent_duration_ms != null ? ` | **Wall time:** ${es.concurrent_duration_ms}ms` : ""}`
+      `| **Engines** | Semgrep \`${safeText(metrics.engines.semgrep ?? "n/a")}\` \xB7 TruffleHog \`${safeText(metrics.engines.trufflehog ?? "n/a")}\` \xB7 Syft \`${safeText(metrics.engines.syft ?? "n/a")}\`${es?.concurrent_duration_ms != null ? ` \xB7 ${es.concurrent_duration_ms}ms wall` : ""} |`
     );
   }
   if (es) {
     out.push(
-      `**Raw engine counts (pre-cognitive):** Code ${es.semgrep?.finding_count ?? 0} | Secrets ${rawEngineCountLabel("trufflehog", es)} | Dependencies ${rawEngineCountLabel("syft", es)}`
+      `| **Raw engine counts** | Code ${es.semgrep?.finding_count ?? 0} \xB7 Secrets ${rawEngineCountLabel("trufflehog", es)} \xB7 Dependencies ${rawEngineCountLabel("syft", es)} |`
     );
   }
   out.push("");
   out.push("---");
-  out.push("## Executive summary");
-  out.push(
-    `- **CRITICAL:** ${allSev.critical} | **HIGH:** ${allSev.high} | **MEDIUM:** ${allSev.medium} | **LOW:** ${allSev.low}`
-  );
+  out.push("## Executive Summary");
+  out.push("");
   out.push(
-    `- **Code Vulnerabilities:** ${byCategory.code.length} | **Exposed Secrets:** ${executiveCategoryLabel("secrets", byCategory.secrets.length, es)} | **Vulnerable Dependencies:** ${executiveCategoryLabel("dependencies", byCategory.dependencies.length, es)}`
+    `**Primary severity:** CRITICAL ${allSev.critical} \xB7 HIGH ${allSev.high} \xB7 MEDIUM ${allSev.medium} \xB7 LOW ${allSev.low} \xB7 Primary findings ${findings.length}`
   );
-  const suppressedRows = Array.isArray(metrics.findings_suppressed) ? metrics.findings_suppressed : [];
-  const rawSecrets = es?.trufflehog?.finding_count ?? metrics.cognitive?.findings_total ?? 0;
   out.push(
-    `- **Primary findings (cognitive-filtered):** ${findings.length} | **Suppressed (.runsecignore):** ${Number(metrics.suppressed_fp_count || 0)} | **Suppressed (cognitive):** ${Number(metrics.cognitive_suppressed_count ?? suppressedRows.length)}`
+    `**By engine (primary log):** Code (Semgrep) ${byCategory.code.length} \xB7 Secrets (TruffleHog) ${executiveCategoryLabel("secrets", byCategory.secrets.length, es)} \xB7 Dependencies (Syft) ${executiveCategoryLabel("dependencies", byCategory.dependencies.length, es)}`
   );
   if (Number(rawSecrets) > 0 && findings.length === 0 && suppressedRows.length > 0) {
-    out.push(
-      `- **Raw TruffleHog hits:** ${rawSecrets} \u2014 see **Appendix: Cognitively suppressed findings** below.`
-    );
+    out.push(`**Note:** ${rawSecrets} raw TruffleHog hits were cognitively suppressed \u2014 see appendix.`);
   }
   out.push("");
-  out.push(...renderTechStackSummary([...findings, ...suppressedRows]));
+  out.push("### For Developers (Actionable Top 3)");
+  out.push("");
+  const topActions = buildDeveloperTopActions(findings, 3);
+  if (topActions.length === 0) {
+    out.push("- No blocking primary findings \u2014 maintain secure defaults on the next change set.");
+  } else {
+    for (const item of topActions) {
+      out.push(
+        `- **[${item.severity}]** \`${safeText(item.file_path)}:${item.line}\` \u2014 ${safeText(item.description)} (\`${safeText(item.rule_id)}\`)`
+      );
+    }
+  }
+  out.push("");
+  out.push("### For Tech Leads (Component Vulnerability Matrix)");
+  out.push("");
+  const matrix = buildComponentMatrix(findings, suppressedRows);
+  if (matrix.length === 0) {
+    out.push("_No component-level signal in the primary or suppressed logs._");
+  } else {
+    out.push("| Service/Component | CRITICAL | HIGH | MEDIUM | Suppressed Noise |");
+    out.push("|---|---:|---:|---:|---:|");
+    for (const row of matrix.slice(0, 24)) {
+      out.push(
+        `| ${safeText(row.component)} | ${row.critical} | ${row.high} | ${row.medium} | ${row.suppressed} |`
+      );
+    }
+    if (matrix.length > 24) {
+      out.push(`| _+${matrix.length - 24} components omitted_ | | | | |`);
+    }
+  }
+  out.push("");
+  out.push(...renderComplianceAuditorSection(standard, findings));
+  out.push("");
+  out.push("---");
+  out.push("## Detailed Findings");
   out.push("");
   let sectionNum = 1;
   for (const category of CATEGORY_ORDER) {
     const rows = byCategory[category];
     const engineTag = category === "code" ? "Semgrep" : category === "secrets" ? "TruffleHog" : "Syft SBOM";
-    out.push("---");
-    out.push(`## ${sectionNum}. ${REPORT_SECTION_TITLES[category]} (${engineTag})`);
+    out.push(`### ${sectionNum}. ${REPORT_SECTION_TITLES[category]} (${engineTag})`);
     out.push(...renderCategorySectionSummary(category, rows, es, metrics));
     out.push("");
-    out.push(...renderFindingRows(rows));
+    out.push(...renderFindingRows(rows, category));
     sectionNum += 1;
   }
   out.push(...renderSuppressedFindingsSection(suppressedRows));
   out.push("---");
-  out.push("<details><summary>Telemetry (machine)</summary>\n");
+  out.push("<details><summary>Telemetry (machine-readable)</summary>");
+  out.push("");
   out.push("```json");
   out.push(
     JSON.stringify(
@@ -6066,6 +6262,19 @@ function localhostAlternateUploadUrl(url) {
     return null;
   }
 }
+function hubUploadUrlCandidates(primaryUrl) {
+  const urls = [];
+  const add = (candidate) => {
+    const trimmed = candidate?.trim();
+    if (trimmed && !urls.includes(trimmed)) urls.push(trimmed);
+  };
+  add(primaryUrl);
+  const direct = process.env.RUNSEC_HUB_DIRECT_ORIGIN?.trim();
+  if (direct) add(appendUploadPath(direct));
+  add(localhostAlternateUploadUrl(primaryUrl));
+  add(dockerInternalAlternateUploadUrl(primaryUrl));
+  return urls;
+}
 function dockerInternalAlternateUploadUrl(url) {
   if (!isDockerRuntime()) return null;
   try {
@@ -6195,7 +6404,7 @@ function formatHubSyncErrorMessage(error, targetUrl, response, responseBody) {
     message += `. Body: ${responseBody.trim().slice(0, 300)}`;
   }
   if (status === "n/a" && /fetch failed|ECONNRESET|ECONNREFUSED|ENOTFOUND|ETIMEDOUT|CERT|SSL|TLS/i.test(err.message + code)) {
-    message += ". Hint: check network/VPN/firewall, retry the scan, or set RUNSEC_HUB_URL to your Hub origin (NEXT_PUBLIC_APP_URL).";
+    message += ". Hint: if Hub uses Cloudflare Tunnel, set HTTP Host Header to runsec.io (not localhost:3000) in the tunnel public hostname settings, or set RUNSEC_HUB_DIRECT_ORIGIN=http://YOUR_SERVER_IP:3000 in MCP env to bypass the tunnel.";
   }
   return message;
 }
@@ -6213,12 +6422,17 @@ function slimFindingForHubUpload(finding) {
     suppression_reason: finding.suppression_reason
   };
 }
-function buildSuppressedSummaryForHub(findings) {
+function buildSuppressedSummaryForHub(findings, includeLocations) {
   const byReason = {};
-  const locations = [];
   for (const f of findings) {
     const reason = String(f.suppression_reason ?? "cognitive_suppressed");
     byReason[reason] = (byReason[reason] ?? 0) + 1;
+  }
+  const summary = { total: findings.length, by_reason: byReason };
+  if (!includeLocations) return summary;
+  const locations = [];
+  for (const f of findings) {
+    const reason = String(f.suppression_reason ?? "cognitive_suppressed");
     locations.push({
       file_path: f.file_path,
       line: f.line ?? 0,
@@ -6228,7 +6442,8 @@ function buildSuppressedSummaryForHub(findings) {
       severity: f.severity
     });
   }
-  return { total: findings.length, by_reason: byReason, locations };
+  summary.locations = locations;
+  return summary;
 }
 function slimEngineSummaryForHub(engineSummary) {
   if (!engineSummary) return void 0;
@@ -6252,9 +6467,43 @@ function slimReportMetricsForHub(reportMetrics) {
     engine_summary: slimEngineSummaryForHub(engine_summary)
   };
 }
+function minimalRunsecJsonForHubUpload(result, workspacePath, verdict, metrics, compliance, complianceASVS) {
+  return {
+    source: "runsec_mcp",
+    transport: "minimal",
+    standard: result.standard,
+    workspace_path: workspacePath,
+    verdict,
+    metrics,
+    compliance,
+    complianceASVS,
+    duration_ms: result.duration_ms,
+    findings_count: result.findings_count,
+    cognitive_suppressed_count: result.cognitive_suppressed_count,
+    findings_suppressed_summary: buildSuppressedSummaryForHub(result.findings_suppressed, false),
+    cognitive: result.cognitive,
+    engine_summary: slimEngineSummaryForHub(result.engine_summary),
+    verdict_detail: {
+      status: result.verdict?.status,
+      blocking_findings_count: result.verdict?.blocking_findings_count,
+      primary_findings_count: result.verdict?.primary_findings_count
+    }
+  };
+}
 function slimRunsecJsonForHubUpload(result, reportMetrics, workspacePath, verdict, metrics, compliance, complianceASVS) {
+  if (process.env.RUNSEC_HUB_FULL_UPLOAD !== "1") {
+    return minimalRunsecJsonForHubUpload(
+      result,
+      workspacePath,
+      verdict,
+      metrics,
+      compliance,
+      complianceASVS
+    );
+  }
   return {
     source: "runsec_mcp",
+    transport: "full",
     standard: result.standard,
     workspace_path: workspacePath,
     verdict,
@@ -6263,7 +6512,7 @@ function slimRunsecJsonForHubUpload(result, reportMetrics, workspacePath, verdic
     complianceASVS,
     report_metrics: slimReportMetricsForHub(reportMetrics),
     findings: result.findings.map(slimFindingForHubUpload),
-    findings_suppressed_summary: buildSuppressedSummaryForHub(result.findings_suppressed),
+    findings_suppressed_summary: buildSuppressedSummaryForHub(result.findings_suppressed, true),
     findings_suppressed_count: result.findings_suppressed.length,
     duration_ms: result.duration_ms,
     findings_count: result.findings_count,
@@ -6274,6 +6523,32 @@ function slimRunsecJsonForHubUpload(result, reportMetrics, workspacePath, verdic
     verdict_detail: result.verdict
   };
 }
+function toMinimalHubPayload(payload) {
+  const runsecJson = payload.runsecJson ?? {};
+  const minimalJson = {
+    source: "runsec_mcp",
+    transport: "minimal",
+    workspace_path: runsecJson.workspace_path,
+    standard: runsecJson.standard,
+    verdict: payload.verdict,
+    metrics: payload.metrics,
+    compliance: runsecJson.compliance,
+    complianceASVS: runsecJson.complianceASVS,
+    cognitive: runsecJson.cognitive,
+    findings_suppressed_summary: runsecJson.findings_suppressed_summary,
+    findings_suppressed_count: runsecJson.findings_suppressed_count,
+    duration_ms: runsecJson.duration_ms,
+    findings_count: runsecJson.findings_count,
+    engine_summary: runsecJson.engine_summary,
+    verdict_detail: runsecJson.verdict_detail
+  };
+  return {
+    projectId: payload.projectId,
+    verdict: payload.verdict,
+    metrics: payload.metrics,
+    runsecJson: minimalJson
+  };
+}
 function logHubSyncFailure(message, error, targetUrl) {
   if (error != null && targetUrl) {
     dumpHubNetworkError(error, targetUrl);
@@ -6427,39 +6702,44 @@ async function uploadScanResultsToHub(payload, apiKey) {
     console.warn("[runsec] Hub telemetry skipped: API key missing");
     return { success: false, message: "Sync failed: API key missing" };
   }
-  const url = resolveHubUploadUrl();
-  const payloadBytes = Buffer.byteLength(JSON.stringify(payload), "utf8");
-  console.error(`[runsec] Hub telemetry upload \u2192 ${url} (${payloadBytes} bytes)`);
-  const attemptUpload = async (targetUrl) => {
-    const errors = [];
-    const urls = [targetUrl];
-    const localhostAlt = localhostAlternateUploadUrl(targetUrl);
-    if (localhostAlt && localhostAlt !== targetUrl) urls.push(localhostAlt);
-    const dockerAlt = dockerInternalAlternateUploadUrl(targetUrl);
-    if (dockerAlt && !urls.includes(dockerAlt)) urls.push(dockerAlt);
-    let lastError = new Error("No upload attempts made");
-    for (let i = 0; i < urls.length; i++) {
-      const tryUrl = urls[i];
-      if (i > 0) {
-        console.error(`[runsec] Hub telemetry retry \u2192 ${tryUrl}`);
-      }
-      try {
-        return await postHubUpload(tryUrl, trimmedKey, payload);
-      } catch (err) {
-        lastError = err;
-        errors.push(err);
-        dumpHubNetworkError(err, tryUrl);
-      }
-    }
-    throw lastError;
-  };
+  const primaryUrl = resolveHubUploadUrl();
+  const uploadUrls = hubUploadUrlCandidates(primaryUrl);
+  const payloadVariants = [
+    { label: "minimal", body: payload },
+    { label: "minimal-fallback", body: toMinimalHubPayload(payload) }
+  ];
+  const seenPayloads = /* @__PURE__ */ new Set();
+  const uniqueVariants = payloadVariants.filter((variant) => {
+    const key = JSON.stringify(variant.body);
+    if (seenPayloads.has(key)) return false;
+    seenPayloads.add(key);
+    return true;
+  });
+  console.error(
+    `[runsec] Hub telemetry upload targets: ${uploadUrls.join(" \u2192 ")} (${uniqueVariants[0] ? Buffer.byteLength(JSON.stringify(uniqueVariants[0].body), "utf8") : 0} bytes, mode=${String(uniqueVariants[0]?.body.runsecJson.transport ?? "minimal")})`
+  );
+  let lastNetworkError = new Error("No upload attempts made");
+  let lastTryUrl = primaryUrl;
   try {
     let response;
-    try {
-      response = await attemptUpload(url);
-    } catch (networkError) {
-      const message = formatHubSyncErrorMessage(networkError, url);
-      logHubSyncFailure(message, networkError, url);
+    outer: for (const variant of uniqueVariants) {
+      for (const tryUrl of uploadUrls) {
+        lastTryUrl = tryUrl;
+        const bytes = Buffer.byteLength(JSON.stringify(variant.body), "utf8");
+        console.error(`[runsec] Hub upload attempt (${variant.label}, ${bytes} bytes) \u2192 ${tryUrl}`);
+        try {
+          response = await postHubUpload(tryUrl, trimmedKey, variant.body);
+          break outer;
+        } catch (err) {
+          lastNetworkError = err;
+          dumpHubNetworkError(err, tryUrl);
+          if (!isRetryableHubNetworkError(err)) break;
+        }
+      }
+    }
+    if (!response) {
+      const message = formatHubSyncErrorMessage(lastNetworkError, lastTryUrl);
+      logHubSyncFailure(message, lastNetworkError, lastTryUrl);
       return { success: false, message };
     }
     if (!response.ok) {
@@ -6469,11 +6749,11 @@ async function uploadScanResultsToHub(payload, apiKey) {
       const httpMessage = detailSnippet || statusLabel;
       const message = formatHubSyncErrorMessage(
         new Error(httpMessage),
-        url,
+        lastTryUrl,
         response,
         detailSnippet
       );
-      logHubSyncFailure(message, new Error(httpMessage), url);
+      logHubSyncFailure(message, new Error(httpMessage), lastTryUrl);
       return {
         success: false,
         message
@@ -6492,8 +6772,8 @@ async function uploadScanResultsToHub(payload, apiKey) {
       projectId
     };
   } catch (error) {
-    const message = formatHubSyncErrorMessage(error, url);
-    logHubSyncFailure(message, error, url);
+    const message = formatHubSyncErrorMessage(error, lastTryUrl);
+    logHubSyncFailure(message, error, lastTryUrl);
     return { success: false, message };
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@runsec/mcp",
-  "version": "1.0.87",
+  "version": "1.0.89",
   "main": "dist/index.js",
   "files": [
     "package.json",